Cluster-based decision boundaries for threat detection in industrial asset control system

ABSTRACT

According to some embodiments, a threat detection model creation computer may receive a series of monitoring node values (representing normal and/or threatened operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may identify a first cluster and a second cluster in the set of feature vectors. The threat detection model creation computer may then automatically determine a plurality of cluster-based decision boundaries for a threat detection model. For example, a first potential cluster-based decision boundary for the threat detection model may be automatically calculated based on the first cluster in the set of feature vectors. Similarly, the threat detection model creation computer may also automatically calculate a second potential cluster-based decision boundary for the threat detection model based on the second cluster in the set of feature vectors.

BACKGROUND

Industrial asset control systems that operate physical systems (e.g.,associated with power turbines, jet engines, locomotives, autonomousvehicles, etc.) are increasingly connected to the Internet. As a result,these control systems may be vulnerable to threats, such ascyber-attacks (e.g., associated with a computer virus, malicioussoftware, etc.), that could disrupt electric power generation anddistribution, damage engines, inflict vehicle malfunctions, etc. Currentmethods primarily consider threat detection in Information Technology(“IT,” such as, computers that store, retrieve, transmit, manipulatedata) and Operation Technology (“OT,” such as direct monitoring devicesand communication bus interfaces). Cyber-threats can still penetratethrough these protection layers and reach the physical “domain” as seenin 2010 with the Stuxnet attack. Such attacks can diminish theperformance of a control system and may cause a total shut down or evencatastrophic damage to a plant. Currently, Fault Detection Isolation andAccommodation (“FDIA”) approaches only analyze sensor data, but a threatmight occur in connection with other types of threat monitoring nodes.Also note that FDIA is limited only to naturally occurring faults in onesensor at a time. FDIA systems do not address multiple simultaneouslyoccurring faults as in the case of malicious attacks. Moreover,industrial assets may operate in various states (e.g. associated withdifferent Mega Watt (“MW”) levels, temperatures, etc.) and differentstates might exhibit different normal operating characteristics. As aresult, creation of a suitable threat detection system can bedifficult—especially when a substantial number of monitoring nodes ofdifferent types are evaluated and states of operation need to beconsidered. It would therefore be desirable to facilitate creation of asuitable threat detection system to protect an industrial asset controlsystem from cyber threats in an automatic and accurate manner.

SUMMARY

According to some embodiments, a threat detection model creationcomputer may receive a series of monitoring node values (representingnormal and/or threatened operation of the industrial asset controlsystem) and generate a set of normal feature vectors. The threatdetection model creation computer may then automatically determine aplurality of potential cluster-based decision boundaries for a threatdetection model.

Some embodiments comprise: means for receiving, from a space data sourcefor each of a plurality of monitoring nodes, a series of monitoring nodevalues over time that represent at least one of: (i) a normal operationof the industrial asset control system, and (ii) a threatened operationof the industrial asset control system; means for automaticallydetermining a plurality of potential cluster-based decision boundariesfor a threat detection model based on the first cluster in the set offeature vectors. Moreover, some embodiments might be associated with:means for receiving streams of monitoring node signal values over timethat represent a current operation of the industrial asset controlsystem; for each stream of monitoring node signal values, means forgenerating a current monitoring node feature vector; means for selectingan appropriate decision boundary, the appropriate decision boundaryseparating a normal state from an abnormal state for that monitoringnode in association with a cluster; means for comparing the generatedcurrent monitoring node feature vectors with the selected appropriatedecision boundary; and means for automatically transmitting a threatalert signal based on results of said comparisons.

Some technical advantages of some embodiments disclosed herein areimproved systems and methods to facilitate creation of a suitable threatdetection system to protect an industrial asset control system fromcyber threats in an automatic and accurate manner.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level block diagram of a system that may be provided inaccordance with some embodiments.

FIG. 2 is a method according to some embodiments.

FIG. 3 is threat alert system in accordance with some embodiments.

FIGS. 4 through 6 illustrate boundaries and feature vectors for variousmonitoring node parameters according to some embodiments.

FIG. 7 illustrates a block diagram view of a cyber-attack detectionsystem in accordance with some embodiments.

FIG. 8 is an example of a global threat protection system in accordancewith some embodiments.

FIG. 9 is a training method for threat detection according to someembodiments.

FIG. 10 illustrates clustered data in a two dimensional feature space inaccordance with some embodiments.

FIG. 11 illustrates normal and attack data in a two-dimensional featurespace according to some embodiments.

FIG. 12 illustrates normal data in a two-dimensional feature space inaccordance with some embodiments.

FIG. 13 is an operating method for threat detection according to someembodiments.

FIG. 14 is a block diagram of an industrial asset control systemprotection platform according to some embodiments of the presentinvention.

FIG. 15 is a tabular portion of a local database in accordance with someembodiments.

FIG. 16 is a tabular portion of global database in accordance with someembodiments.

FIG. 17 is a tabular portion of a monitoring node database according tosome embodiments.

FIG. 18 is a display according to some embodiments.

DETAILED DESCRIPTION

In the following detailed description, numerous specific details are setforth in order to provide a thorough understanding of embodiments.However it will be understood by those of ordinary skill in the art thatthe embodiments may be practiced without these specific details. Inother instances, well-known methods, procedures, components and circuitshave not been described in detail so as not to obscure the embodiments.

Industrial control systems that operate physical systems areincreasingly connected to the Internet. As a result, these controlsystems may be vulnerable to threats and, in some cases, multipleattacks may occur simultaneously. Existing approaches to protect anindustrial control system, such as FDIA approaches, may not adequatelyaddress these threats—especially when a substantial number of monitoringnodes of different types are evaluated and various states of operationneed to be considered. Moreover, the operational space of cyber-physicalsystems may be non-linear (e.g., a gas turbine running at differentloads of 40 MW to 180 MW may exhibit non-linear characteristics).Moreover, collected data from various monitoring nodes (e.g., sensors)may be skewed, which can create problems when an accurate detectionalgorithm needs to perform under various operational conditions and/ordata conditions.

It would therefore be desirable to facilitate creation of a suitablethreat detection system to protect an industrial asset control systemfrom cyber threats in an automatic and accurate manner. FIG. 1 is ahigh-level architecture of a system 100 in accordance with someembodiments. The system 100 may include a “normal space” data source 110and a “threatened space” data source 120. The normal space data source110 might store, for each of a plurality of “monitoring nodes” 130, aseries of normal values over time that represent normal operation of anindustrial asset control system (e.g., generated by a model or collectedfrom actual monitoring node 130 data as illustrated by the dashed linein FIG. 1). As used herein, the phrase “monitoring node” might refer to,for example, sensor data, signals sent to actuators, motors, pumps, andauxiliary equipment, intermediary parameters that are not direct sensorsignals not the signals sent to auxiliary equipment, and/or controlcommands. These may represent, for example, threat monitoring nodes thatreceive data from the threat monitoring system in a continuous fashionin the form of continuous signals or streams of data or combinationsthereof. Moreover, the nodes may be used to monitor occurrences ofcyber-threats or abnormal events. This data path may be designatedspecifically with encryptions or other protection mechanisms so that theinformation may be secured and cannot be tampered with viacyber-attacks. The threatened space data source 120 might store, foreach of the monitoring nodes 130, a series of threatened values thatrepresent a threatened operation of the industrial asset control system(e.g., when the system is experiencing a cyber-attack). Although both anormal space data source 110 and a threatened space data source 120 areillustrated in FIG. 1, note that embodiments might instead be associatedwith a single space data source (e.g., containing only normal data, onlythreatened data, both normal and threatened data, etc.).

Information from the normal space data source 110 and the threatenedspace data source 120 may be provided to a threat detection modelcreation computer 140 that uses this data to create a decision boundary(that is, a boundary that separates normal behavior from threatenedbehavior). The decision boundary may then be used by a threat detectioncomputer 150 executing a threat detection model 155. The threatdetection model 155 may, for example, monitor streams of data from themonitoring nodes 130 comprising data from sensor nodes, actuator nodes,and/or any other critical monitoring nodes (e.g., monitoring nodes MN₁through MN_(N)), calculate a “feature” for each monitoring node based onthe received data, and “automatically” output a threat alert signal toone or more remote monitoring devices 170 when appropriate (e.g., fordisplay to a user). According to some embodiments, a threat alert signalmight be transmitted to a unit controller, a plant Human-MachineInterface (“HMI”), or to a customer via a number of differenttransmission methods. Note that one receiver of a threat alert signalmight be a cloud database that correlates multiple attacks on a widerange of plant assets. As used herein, the term “feature” may refer to,for example, mathematical characterizations of data. Examples offeatures as applied to data might include the maximum and minimum, mean,standard deviation, variance, settling time, Fast Fourier Transform(“FFT”) spectral components, linear and non-linear principal components,independent components, sparse coding, deep learning, etc. Moreover,term “automatically” may refer to, for example, actions that can beperformed with little or no human intervention. According to someembodiments, information about a detected threat may be transmitted backto the industrial control system.

As used herein, devices, including those associated with the system 100and any other device described herein, may exchange information via anycommunication network which may be one or more of a Local Area Network(“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network(“WAN”), a proprietary network, a Public Switched Telephone Network(“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetoothnetwork, a wireless LAN network, and/or an Internet Protocol (“IP”)network such as the Internet, an intranet, or an extranet. Note that anydevices described herein may communicate via one or more suchcommunication networks.

The threat detection model creation computer 140 may store informationinto and/or retrieve information from various data stores, such as thenormal space data source 110 and/or the threatened space data source120. The various data sources may be locally stored or reside remotefrom the threat detection model creation computer 140 (which might beassociated with, for example, offline or online learning). Although asingle threat detection model creation computer 140 is shown in FIG. 1,any number of such devices may be included. Moreover, various devicesdescribed herein might be combined according to embodiments of thepresent invention. For example, in some embodiments, the threatdetection model creation computer 140 and one or more data sources 110,120 might comprise a single apparatus. The threat detection modelcreation computer 140 functions may be performed by a constellation ofnetworked apparatuses, in a distributed processing or cloud-basedarchitecture.

A user may access the system 100 via one of the monitoring devices 170(e.g., a Personal Computer (“PC”), tablet, or smartphone) to viewinformation about and/or manage threat information in accordance withany of the embodiments described herein. In some cases, an interactivegraphical display interface may let a user define and/or adjust certainparameters (e.g., threat detection trigger levels) and/or provide orreceive automatically generated recommendations or results from thethreat detection model creation computer 140 and/or threat detectioncomputer 150.

For example, FIG. 2 illustrates a method that might be performed by someor all of the elements of the system 100 described with respect toFIG. 1. The flow charts described herein do not imply a fixed order tothe steps, and embodiments of the present invention may be practiced inany order that is practicable. Note that any of the methods describedherein may be performed by hardware, software, or any combination ofthese approaches. For example, a computer-readable storage medium maystore thereon instructions that when executed by a machine result inperformance according to any of the embodiments described herein.

At S210, a plurality of real-time monitoring node signal inputs mayreceive streams of monitoring node signal values over time thatrepresent a current operation of an industrial asset control system. Atleast one of the monitoring nodes (e.g., controller nodes, etc.) may beassociated with, for example, sensor data, an auxiliary equipment inputsignal, a control intermediary parameter, and/or a control logic value.

At S220, a threat detection computer platform may receive the streams ofmonitoring node signal values and, for each stream of monitoring nodesignal values, generate a current monitoring node feature vector.According to some embodiments, at least one of the current monitoringnode feature vectors is associated with principal components,statistical features, deep learning features, frequency domain features,time series analysis features, logical features, geographic or positionbased locations, and/or interaction features.

At S230, each generated current monitoring node feature vector may becompared to a corresponding decision boundary (e.g., a linear boundary,non-linear boundary, multi-dimensional boundary, etc.) for thatmonitoring node, the decision boundary separating a normal state from anabnormal state for that monitoring node. According to some embodiments,at least one monitoring node is associated with a plurality ofmulti-dimensional decision boundaries and the comparison at S230 isperformed in connection with each of those boundaries. Note that adecision boundary might be generated, for example, in accordance with afeature-based learning algorithm and a high fidelity model or a normaloperation of the industrial asset control system and with any of thecluster-based embodiments described herein. Moreover, at least onedecision boundary may exist in a multi-dimensional space and beassociated with data generated from a dynamic model, design ofexperiments such as, a full factorial design, Taguchi screening design,a central composite methodology, a Box-Behnken methodology, and areal-world operating conditions methodology. In addition, a threatdetection model associated with a decision boundary might, according tosome embodiments, be dynamically adapted based on a transient condition,a steady state model of the industrial asset control system, and/or datasets obtained while operating the system as in self-learning systemsfrom incoming data stream.

At S240, the system may automatically transmit a threat alert signal(e.g., a notification message, etc.) based on results of the comparisonsperformed at S230. The threat might be associated with, for example, anactuator attack, a controller attack, a monitoring node attack, a plantstate attack, spoofing, financial damage, unit availability, a unittrip, a loss of unit life, and/or asset damage requiring at least onenew part. According to some embodiments, one or more response actionsmay be performed when a threat alert signal is transmitted. For example,the system might automatically shut down all or a portion of theindustrial asset control system (e.g., to let the detected potentialcyber-attack be further investigated). As other examples, one or moreparameters might be automatically modified, a software application mightbe automatically triggered to capture data and/or isolate possiblecauses, etc. Note that a threat alert signal might be transmitted via acloud-based system, such as the PREDIX® field agent system. Note thataccording to some embodiments, a cloud approach might also be used toarchive information and/or to store information about boundaries. In yetanother embodiment, alerts may be used to automatically initiate anaccommodation control loop to keep the system running while the attacksare in progression and are under scrutiny.

According to some embodiments, the system may further localize an originof the threat to a particular monitoring node. For example, thelocalizing may be performed in accordance with a time at which adecision boundary associated with one monitoring node was crossed ascompared to a time at which a decision boundary associated with anothermonitoring node was crossed. According to some embodiments, anindication of the particular monitoring node might be included in thethreat alert signal.

Some embodiments described herein may take advantage of the physics of acontrol system by learning a priori from tuned high fidelity equipmentmodels and/or actual “on the job” data to detect single or multiplesimultaneous adversarial threats to the system. Moreover, according tosome embodiments, all monitoring node data may be converted to featuresusing advanced feature-based methods, and the real-time operation of thecontrol system may be monitored in substantially real-time.Abnormalities may be detected by classifying the monitored data as being“normal” or disrupted (or degraded). This decision boundary may beconstructed using dynamic models and may help enable early detection ofvulnerabilities (and potentially avert catastrophic failures) and allowan operator to restore the control system to normal operation in atimely fashion.

Note that an appropriate set of multi-dimensional feature vectors, whichmay be extracted automatically (e.g., via an algorithm) and/or bemanually input, might comprise a good predictor of measured data in alow dimensional vector space. According to some embodiments, appropriatedecision boundaries may be constructed in a multi-dimensional spaceusing a data set which is obtained via scientific principles associatedwith DoE techniques. Moreover, multiple algorithmic methods (e.g.,support vector machines or machine learning techniques) may be used togenerate decision boundaries. Since boundaries may be driven by measureddata (or data generated from high fidelity models), defined boundarymargins may help to create a threat zone in a multi-dimensional featurespace. Moreover, the margins may be dynamic in nature and adapted basedon a transient or steady state model of the equipment and/or be obtainedwhile operating the system as in self-learning systems from incomingdata stream. According to some embodiments, a training method may beused for supervised learning to teach decision boundaries. This type ofsupervised learning may take into account an operator's knowledge aboutsystem operation (e.g., the differences between normal and abnormaloperation).

Note that many different types of features may be utilized in accordancewith any of the embodiments described herein, including principalcomponents (weights constructed with natural basis sets) and statisticalfeatures (e.g., mean, variance, skewness, kurtosis, maximum, minimumvalues of time series signals, location of maximum and minimum values,independent components, etc.). Other examples include deep learningfeatures (e.g., generated by mining experimental and/or historical datasets) and frequency domain features (e.g., associated with coefficientsof Fourier or wavelet transforms). Embodiments may also be associatedwith time series analysis features, such as cross-correlations,auto-correlations, orders of the autoregressive, moving average model,parameters of the model, derivatives and integrals of signals, risetime, settling time, neural networks, etc. Still other examples includelogical features (with semantic abstractions such as “yes” and “no”),geographic/position locations, and interaction features (mathematicalcombinations of signals from multiple monitoring nodes and specificlocations). Embodiments may incorporate any number of features, withmore features allowing the approach to become more accurate as thesystem learns more about the physical process and threat. According tosome embodiments, dissimilar values from monitoring nodes may benormalized to unit-less space, which may allow for a simple way tocompare outputs and strength of outputs.

Thus, some embodiments may provide an advanced anomaly detectionalgorithm to detect cyber-attacks on, for example, key gas turbinecontrol sensors. The algorithm may identify which signals(s) are beingattacked using monitoring node-specific decision boundaries and mayinform a control system to take accommodative actions. In particular, adetection and localization algorithm might detect whether a sensor,auxiliary equipment input signal, control intermediary parameter, orcontrol command are in a normal or anomalous state. Some examples of gasturbine monitoring nodes that might be analyzed include: criticalcontrol sensors (e.g., a generator power transducer signal, a gasturbine exhaust temperature thermocouple signal, a gas turbine speedsignal, etc.); control system intermediary parameters (e.g., generatorpower, gas turbine exhaust temperature, compressor discharge pressure,compressor discharge temperature, compressor pressure ratio, fuel flow,compressor inlet temperature, guide vane angle, fuel stroke reference,compressor bleed valve, inlet bleed heat valve, etc.); auxiliaryequipment input signals (e.g., signals sent to actuators, motors, pumps,etc.); and/or control commands to controller.

Some embodiments of the algorithm may utilize feature-based learningtechniques based on high fidelity physics models and/or machineoperation data (which would allow the algorithm to be deployed on anysystem) to establish a high dimensional decision boundary. As a result,detection may occur with more precision using multiple signals, makingthe detection more accurate with less false positives. Moreover,embodiments may detect multiple attacks on monitoring node data, andrationalize where the root cause attack originated. For example, thealgorithm may decide if a signal is anomalous because of a previoussignal attack, or if it is instead independently under attack. This maybe accomplished, for example, by monitoring the evolution of thefeatures as well as by accounting for time delays between attacks.

A cyber-attack detection and localization algorithm may process areal-time turbine signal data stream and then compute features (multipleidentifiers) which can then be compared to the sensor specific decisionboundary. A block diagram of a system 300 utilizing a sensor specificgas turbine cyber-attack detection and localization algorithm accordingto some embodiments is provided in FIG. 3. In particular, a power plant332 provides information to sensors 334 which helps controllers withelectronics and processors 336 adjust actuators 338. A threat detectionsystem 360 may include one or more high-fidelity physics based models342 associated with the power plant 332 to create normal data 310 and/orthreat data 320. The normal data 310 and threat data 320 may be accessedby a feature discovery component 344 and processed by cluster-baseddecision boundary algorithms 346 to create multiple cluster-baseddecision boundaries 347 and cluster centroids 349 while off-line (e.g.,not necessarily while the power plant 332 is operating). The decisionboundary algorithms 346 may generate a threat model including decisionboundaries for various monitoring nodes. Each decision boundary mayseparate two data sets in a high dimensional space which is constructedby running a binary classification algorithm, such as a support vectormachine using the normal data 310 and threat data 320 for eachmonitoring node signal (e.g., from the sensors 334, controllers 336,and/or the actuators 338).

A real-time threat detection platform 350 may receive the boundariesalong with streams of data from the monitoring nodes. The platform 350may include a feature extraction on each monitoring node element 352, aboundary assignment element 353, and a normalcy decision 354 with analgorithm to detect attacks in individual signals using sensor specificcluster-based decision boundaries, as well rationalize attacks onmultiple signals, to declare which signals were attacked, and whichbecame anomalous due to a previous attack on the system via alocalization module 356. An accommodation element 358 may generateoutputs 370, such as an anomaly decision indication (e.g., threat alertsignal), a controller action, and/or a list of attached monitoringnodes.

During real-time detection, contiguous batches of monitoring node datamay be processed by the platform 350, normalized and the feature vectorextracted. The location of the vector for each signal inhigh-dimensional feature space may then be compared to a correspondingcluster-based decision boundary after assigning to the cluster viaboundary assignment element 353. If it falls within the attack region,then a cyber-attack may be declared. The algorithm may then make adecision about where the attack originally occurred. An attack maysometimes be on the actuators 338 and then manifested in the sensors 334data. Attack assessments might be performed in a post decision module(e.g., the localization element 356) to isolate whether the attack isrelated to any of the sensor, controller, or actuator (e.g., indicatingwhich part of the monitoring node). This may be done by individuallymonitoring, overtime, the location of the feature vector with respect tothe corresponding cluster-based decision boundary. For example, when asensor 334 is spoofed, the attacked sensor feature vector will cross theone cluster-based decision boundary earlier than the rest of the vectorsas described with respect to FIGS. 4 through 6. If a sensor is declaredto be anomalous, and the load command to the auxiliary equipment islater determined to be anomalous, it may be determined that the originalattack, such as signal spoofing, occurred on the sensor 334. Conversely,if the signal to the auxiliary equipment was determined to be anomalousfirst, and then later manifested in the sensor 334 feedback signal, itmay be determined that the signal to the equipment was initiallyattacked.

According to some embodiments, it may be detected whether or not asignal is in the normal operating space (or abnormal space) through theuse of localized decision boundaries and real time computation of thespecific signal features. Moreover, an algorithm may differentiatebetween a sensor being attacked as compared to a signal to auxiliaryequipment being attacked. The control intermediary parameters andcontrol logical(s) may also be analyzed using similar methods. Note thatan algorithm may rationalize signals that become anomalous. An attack ona signal may then be identified.

FIG. 4 illustrates 400 boundaries and feature vectors for variousmonitoring node parameters in accordance with some embodiments. Inparticular, for each parameter a graph includes a first axisrepresenting value weight 1 (“w1”), a feature 1, and a second axisrepresenting value weight 2 (“w2”), a feature 2. Values for w1 and w2might be associated with, for example, outputs from a PrincipalComponent Analysis (“PCA”) that is performed on the input data. PCAmight be one of the features that might be used by the algorithm tocharacterize the data, but note that other features could be leveraged.

A graph is provided for compressor discharge temperature 410, compressorpressure ratio 420, compressor inlet temperature 430, fuel flow 440,generator power 450, and gas turbine exhaust temperature 460. Each graphincludes a hard boundary 412 (solid curve), minimum boundary 416 (dottedcurve), and maximum boundary 414 (dashed curve) and an indicationassociated with current feature location for each monitoring nodeparameter (illustrated with an “X” on the graph). As illustrated in FIG.4, the current monitoring node location is between the minimum andmaximum boundaries (that is, the “X” is between the dotted and dashedlines). As a result, the system may determine that the operation of theindustrial asset control system is normal (and no threat is beingdetected indicating that the system is currently under attack).

FIG. 5 illustrates 500 subsequent boundaries and feature vectors forthese parameters. Consider, for example, a feature vector movement 512for the compressor discharge pressure. Even though feature vector 512has moved, it is still within the maximum and minimum boundaries and, asa result, normal operation of that monitoring node may be determined.This is the case for the first five graphs in FIG. 5. In this example, afeature vector movement 562 for the gas turbine exhaust temperature hasexceeded with maximum boundary and, as a result, abnormal operation ofthat monitoring node may be determined. For example, a threat may existfor the exhaust temperature scale factor, which is a corrective value.The result is that the feature for the intermediary monitoring nodesignal feature vector illustrated in FIG. 5 moves 562 such that it isanomalous. The algorithm detects this cyber-attack, and two parallelactions might be initiated. One action may be post processing of thesignal to discover what was attacked, in this case if the system hasbeen monitoring each exhaust thermocouple, it may conclude that none ofthem are currently abnormal. Therefore, it may be determined thatsomething used to calculate this feature was attacked. The other actionmay be to continually monitor and detect additional attacks. Such anapproach may facilitate a detection of multiple signal attacks.

Given the example of FIG. 5, assume that the gas turbine exhausttemperature signal was attacked. This may cause the system to respond insuch a way so as to put other signals into an abnormal state. This isillustrated 600 in FIG. 6, where the attack has already been detectedand now other signals shown to be abnormal. In particular, featuremovement for the compressor discharge pressure 612, compressor pressureratio 622, compressor inlet temperature 632, and fuel flow 642 have allbecome abnormal (joining the feature vector for the gas turbine exhausttemperature 662). Note that the feature vector for generator power didnot become abnormal. In order to decide whether or not these signals612, 622, 632, 642 are truly currently under attack, a historical batchwith pertinent feature vector information may be kept for some durationof time. Then when an attack is detected on another signal, this batchis examined, and the time at which the confirmed attack on gas turbineexhaust temperature as well as several subsequent elements is analyzed.

Note that one signal rationalization might be associated with a systemtime delay. That is, after a sensor is attacked there might be a periodof time before the system returns to a steady state. After this delay,any signal that becomes anomalous might be due to an attack as opposedto the system responding.

The current methods for detecting abnormal conditions in monitoringnodes are limited to FDIA (which itself is very limited). Thecyber-attack detection and localization algorithms described herein cannot only detect abnormal signals of sensors, but can also detect signalssent to auxiliary equipment, control intermediary parameters and/orcontrol commands. The algorithm can also understand multiple signalattacks. One challenge with correctly identifying a cyber-attack threatis that it may occur with multiple sensors being impacted by malware.According to some embodiments, an algorithm may identify in real-timethat an attack has occurred, which sensor(s) are impacted, and declare afault response. To achieve such a result, the detailed physical responseof the system must be known to create acceptable decision boundaries.This might be accomplished, for example, by constructing data sets fornormal and abnormal regions by running Design of Experiments (“DoE”)experiments on high-fidelity models. A data set for each sensor mightcomprise a feature vector for given threat values (e.g., turbine speed,thermocouple scale factor, etc.). Full factorial, Taguchi screening,central composite and Box-Behnken are some of the known designmethodologies used to create the attack space. When models are notavailable, these DoE methods are also used to collect data fromreal-world power generator systems. Experiments may be run at differentcombinations of simultaneous attacks. In some embodiments, the systemmay detect degraded/faulty operation as opposed to a cyber-attack. Suchdecisions might utilize a data set associated with a degraded/faultyoperating space. At the end of this process, the system may create datasets such as “attack v/s normal” and “degraded v/s normal” for use whileconstructing decision boundaries. Further note that a decision boundarymay be created for each signal using data sets in feature space. Variousclassification methods may be used to compute decision boundaries. Forexample, binary linear and non-linear supervised classifiers areexamples of methods that could be used to obtain a decision boundary.

In some cases, multiple vector properties might be examined, and theinformation described with respect to FIGS. 4 through 6 may be processedto determine if the signal had been trending in a specific direction asthe attack was detected (or if it had just been moving due to noise).Had the signal been uniformly trending as the attack took place, thenthis signal is a response to the original attack and not an independentattack.

Note that an industrial asset control system may be associated withnon-linear operations over a range of operating parameters (e.g., loads,temperatures, etc.). As a result, data variations can be substantial anddetermining when a cyber threat is present based on operation of thecontrol system may be difficult. FIG. 7 illustrates a block diagram viewof a cyber-attack detection system 700 in accordance with someembodiments. In particular, the system 700 illustrates a gas turbine 710(e.g., associated with gas turbine unit controllers) that transmitsinformation about loads (e.g., gas turbine loads, Adaptive Real-timeEngine Simulation (“ARES” loads, etc.) to a load normalization function720. The gas turbine 710 may also transmit information, to modeprocessing 730 (e.g., a gas turbine reported mode of operation) andfeature processing 740 (e.g., gas turbine unit data). As will bedescribed, the load normalization function 720 may transmit a normalizedmonitoring node signal to feature processing 740. Post processing 750may receive information from feature processing 740 and transmit data todecision processing 770 (which can automatically create a cyber-attackwarning based at least in part on data sets received from anormal/attack data sets storage unit 760). Thus, some embodiments maycompute normalized monitoring node signals dynamically based on turbineload or temperature levels and temporal time-series signals. Thisnormalization may provide capabilities to perform attack detection fordifferent load conditions.

Note that embodiments might utilize temporal and/or spatialnormalization. Temporal normalization may provide normalization along atime axis. Spatial normalization may be used to normalize signals alongmultiple nodes (e.g., sensor axis). In either case, the normalizedsignals may then be used to perform attack detection using featureextraction and comparisons to decision boundaries. Sensor, actuator, andcontroller node time-series data may be processed in substantiallyreal-time to extract “features” from this data. The feature data maythen be compared to a decision boundary to determine if a cyber-attackhas occurred to the system. A similar approach may be used for detectingattacks in spatially normalized data.

The processing of the real-time data may utilize the normal operatingpoint of the gas turbine 710. This normal operating point might bedetermined, for example, based on system operating modes, externalconditions, system degradation factor, fuel input, etc. The real-timemeasured sensor data, actuator data, and controller nodes data may beprocessed such that a difference between actual and nominal values iscomputed and this difference, or delta, is normalized with the expectedoperating conditions coefficients. Note that turbine load level (e.g.,as represented by Mega Watts (“MW”)) may be computed based on multiplemeasurements, and a load may be estimated from an adaptive real timeengine model.

According to some embodiments, the following may be performed off-line(not real time). For a given turbine mode, the gas turbine 710 operationmay be simulated using high fidelity models. The load level may bechanged from a lowest operating point to a highest operating point(e.g., using step changes every predefined time interval). Thissimulated data produces a number of normal running data files at varyingload levels. Taking one of these files, the load level may be averagedand categorized into a pre-defined load level resolution (e.g., averagedto the nearest 0.25 MW). Using these normalization packets as an inputto processing of the time series signals may facilitate dynamicnormalization when running in real time. These outputs from the dynamicnormalization process may then be then used in a feature discoveryprocess.

FIG. 8 is an example of a global threat protection system 800 inaccordance with some embodiments. In particular, system includes threegenerators (A, B, and C) and batches of values 810 from threat nodes arecollected for each generated over a period of time (e.g., 30 to 50seconds). According to some embodiments, the batches of values 810 fromthreat nodes overlap in time. The values 810 from threat nodes may, forexample, be stored in a matrix 820 arranged by time (t₁, t₂, etc.) andby type of threat node (S₁, S₂, etc.). Feature engineering components830 may use information in each matrix 820 to create a feature vector840 for each of the three generators (e.g., the feature vector 840 forgenerator C might include FS_(C1), FS_(C2), etc.). The three featurevectors 840 may then be combined into a single global feature vector 850for the system 800. Interaction features 860 may be applied (e.g.,associated with A*B*C, A+B+C, etc.) and an anomaly detection engine 870may compare the result with a decision boundary and output a threatalert signal when appropriate. As will be described, embodiments maytune feature and boundary parameters for both the local feature vectors840 and the global feature vector 850 to improve performance of thethreat detect system 800.

Note that the local and/or global features described with respect toFIG. 8 may be used to select an appropriate decision boundary(separating normal operation from threatened operation) in accordancewith a clustering process. For example, FIG. 9 is a training method forthreat detection according to some embodiments. At S910, features may beextracted and the system may cluster data in feature space at S920. Forexample, a space data source might store, for each of a plurality ofmonitoring nodes, a series of monitoring node values over time thatrepresent a normal operation of the industrial asset control systemand/or a threatened operation of the industrial asset control system. Athreat detection model creation computer, coupled to the space datasource, may receive the series of monitoring node values and generate aset of feature vectors. According to some embodiments, at least some ofthe monitoring node values are associated with a high fidelity equipmentmodel. The threat detection model creation computer may then identify afirst cluster in the set of feature vectors and a second cluster in theset of feature vectors. According to some embodiments, the threatdetection model creation computer may also compute and store a centroidlocation in association with each cluster. Some examples describedherein are associated with two clusters, but embodiments may beassociated with any plurality of clusters. The number of clusters may beselected, for example, during an off-line simulation based on anoptimization of system performance (e.g., to obtain a high detectionrate and low false positive rate).

Note that the identification of clusters described in connection withFIG. 9 might be associated with, for example, a K-means clusteringprocess. As used herein, the term “K-means” clustering process mightrefer to, for example, a method of vector quantization wherein nobservations are partitioned into k clusters. For example, eachobservation might belong to the cluster with the nearest mean (e.g.,serving as a prototype of the cluster). Note that, in some embodiments,a number of clusters may be obtained based on achievable performance asdetermined by Receiver Operating Characteristic (“ROC”) statistics.According to some embodiments, efficient heuristic algorithms may beemployed (e.g., similar to an expectation-maximization algorithm formixtures of Gaussian distributions) to facilitate the clusteringprocess.

At S930, the system may identify cluster data types. If the cluster datatype identified at S930 includes both normal and threatened operationaldata, a two-class, supervised learning process may be performed at S940.As used herein, the term “supervised” learning may refer to, forexample, a machine learning task of inferring a function from trainingdata. The training data may consist of a set of both normal andthreatened data. In supervised learning, each example is a pairconsisting of an input object (typically a vector) and a desired outputvalue. The supervised learning algorithm may analyze the training dataand produce an inferred function, which can be used to categorize dataduring operation of an industrial asset.

If the cluster data type identified at S930 includes only normaloperational data (or only threatened operational data), a one-class,semi-supervised learning process may be performed at S950. As usedherein, the term “semi-supervised” learning may refer to, for example, aprocess between unsupervised learning (without any labeled trainingdata) and supervised learning (with completely labeled training data).

At S960, decision boundaries may be created resulting in a set ofmultiple cluster-based decision boundaries at S970. For example, thesystem may automatically calculate a first potential cluster-baseddecision boundary for a threat detection model based on the firstcluster in the set of feature vectors. Similarly, the system mayautomatically calculate a second potential cluster decision boundary forthe threat detection model based on the second cluster in the set offeature vectors. Note that a pre-set number of potential cluster-baseddecision boundaries might be created based on an achievable optimallevel of detection performance (e.g., ROC statistics such as falsepositive rate, false negative rate, etc.). Cluster centroids may also bestore for use during real-time for assisting feature vectors to acorrect cluster-based decision boundary.

By way of example, FIG. 10 illustrates 1000 clustered data in a twodimensional feature space in accordance with some embodiments. Inparticular, the two dimensional feature space is defined by operationalcharacteristics w1 and w2. A set of cluster one data (represented by “+”icons) and a set of cluster two data (represented by “x” icons) aredisplayed in the space. Further, a centroid location for cluster one1010 and a centroid location for cluster two 1020 may be computed andlocated in the two dimensional space as illustrated in FIG. 10.

Note that some embodiments of the present invention provide a method forgenerating multiple cluster-based decision boundaries for industrialasset cyber-attack detection using data clustering. Such amulti-boundary anomaly detection system may automatically select thecorrect cluster based on the extracted feature vector from currentoperation of the industrial asset. Such cluster-based multiple-decisionboundaries may help achieve improved detection performance (and reducefalse alarms) in the presence of non-linear data and/or skewed data.

For example, real time data may be received from an industrial assetunit controller. The primary features may be extracted from the datausing feature discovery processes as described herein. After featurevectors are constructed for variety of data sets (e.g., simulated orfield-recorded “attack” data, “normal” operating data, etc.), thesevectors are processed to create multiple cluster-based decisionboundaries. According to some embodiments, the extracted feature datavectors are clustered into multiple groups using K-means, K-means++, orany other clustering method. Note that an optimal number of clusters maybe selected based on attack detection performance predicted bysimulations. Each cluster could be a “normal” only cluster, an “attack”only cluster, or a mixed-data cluster.

For example, FIG. 11 illustrates 1100 normal and attack data in atwo-dimensional feature space according to some embodiments. Inparticular, a two dimensional feature space is defined by operationalcharacteristics w1 and w2. A set of normal data for cluster one(represented by “+” icons) and a set of attack data for cluster one(represented by “×” icons) are displayed in the space. Further, acentroid location for cluster one 1110 may be computed and located inthe two dimensional space as illustrated in FIG. 11. FIG. 12 illustrates1200 normal-only data in a two-dimensional feature space in accordancewith some embodiments. As before, a two dimensional feature space isdefined by operational characteristics w1 and w2. A set of normalcluster two data (represented by “+” icons) is displayed in the space.Note that in this example, the locations of normal cluster two datamight occur within multiple groups (e.g., three areas as illustrated inFIG. 12). Further, a centroid location for cluster two 1210 may becomputed and located in the two dimensional space as illustrated in FIG.12.

In general, the system may create a hypersphere around the normaloperating points and, as a result, what is outside of that definedregion might be considered abnormal (or “threatened”). That is, based onthe data type(s) in each cluster, a cluster-based decision boundary mayconstructed for each data cluster as follows:

-   -   For mixed-data clusters (containing both normal and attack        training data) a supervised learning method (two-class) is used;    -   For normal only (or attack only) clusters, a semi-supervised        learning (one-class) may be used. The semi-supervised learning        model might be, for example, a one-class Support Vector Machine        (“SVM”) process, a K-Nearest Neighbor (“KNN”) algorithm, or any        other semi-supervised learning technique.

During operation of the industrial asset, for each observation, theclosest cluster may be selected (based on an observation distance infeature space to centroid) in the cluster assignment algorithm (e.g.,cluster distance computation) module 353, and the boundary associatedwith that selected cluster may be used to detect threatened operation.Note that the same definition of distance may be used as when the datawas clustered (e.g., Euclidian, city-block, etc.).

FIG. 13 is an operating method for threat detection according to someembodiments. In particular, observation is performed at S1310 anddistances to cluster centroids (also called cluster assignment) arecomputed at S1320. For example, a plurality of real-time monitoring nodesignal inputs may receive streams of monitoring node signal values overtime that represent a current operation of the industrial asset controlsystem. A threat detection computer platform, coupled to the pluralityof real-time monitoring node signal inputs and a threat detection modelcreation computer, may receive the streams of monitoring node signalvalues and, for each stream, generate a current monitoring node featurevector.

The nearest cluster may then be determined at S1330 and used to selectan appropriate cluster-based decision boundary at S1340. For example,the system may select the cluster-based decision boundary that wascreated for the nearest cluster (the boundary separating a normal statefrom an abnormal state for that monitoring node in association with thatcluster).

The selected cluster-based decision boundary can then be used to performanomaly detection at S1350 and a current system status may be generatedand/or transmitted at S1360 (e.g., indicating that the industrial assetis currently experiencing “normal” or “threatened” operation). Forexample, the system may compare the generated current monitoring nodefeature vectors with the selected appropriate cluster-based decisionboundary and automatically transmit a threat alert signal based onresults of those comparisons. The threat alert signal transmission mightbe performed, for example, using a cloud-based system, an edge-basedsystem, a wireless system, a wired system, a secured network, any othertype of communication system. As used herein, the term “threat” mightrefer to, for example, an actuator attack, a controller attack, amonitoring node attack, a plant state attack, spoofing, financialdamage, unit availability, a unit trip, a loss of unit life, assetdamage requiring at least one new part, etc.

Note that a system operation status often cannot be accuratelycategorized using only one decision boundary. A multiple decisionboundary approach may allow for the creation of more accurate decisionmodels and, as a result, more accurate anomaly decisions. Moreover,embodiments described herein may provide for the creation of decisionboundaries when only one-class of data is available (usingsemi-supervised techniques). This will facilitate generation ofboundaries using legacy asset data which might only include normal data(that is, the historical data for an industrial asset might not containany attack data). The definition of an appropriate boundary might beperformed in view of, for example, a Receiver Operating Characteristic(“ROC”), true positives, false positives, true negatives, falsenegatives, an Area Under Curve (“AUC”) value, etc.

The embodiments described herein may be implemented using any number ofdifferent hardware configurations. For example, FIG. 14 is a blockdiagram of an industrial asset control system protection platform 1400that may be, for example, associated with the system 140 of FIG. 1. Theindustrial asset control system protection platform 1400 comprises aprocessor 1410, such as one or more commercially available CentralProcessing Units (“CPUs”) in the form of one-chip microprocessors,coupled to a communication device 1420 configured to communicate via acommunication network (not shown in FIG. 14). The communication device1420 may be used to communicate, for example, with one or more remotemonitoring nodes, user platforms, etc. The industrial asset controlsystem protection platform 1400 further includes an input device 1440(e.g., a computer mouse and/or keyboard to input cluster parametersand/or predictive modeling information) and/an output device 1450 (e.g.,a computer monitor to render a display, provide alerts, transmitrecommendations, and/or create reports). According to some embodiments,a mobile device, monitoring physical system, and/or PC may be used toexchange information with the industrial asset control system protectionplatform 1400.

The processor 1410 also communicates with a storage device 1430. Thestorage device 1430 may comprise any appropriate information storagedevice, including combinations of magnetic storage devices (e.g., a harddisk drive), optical storage devices, mobile telephones, and/orsemiconductor memory devices. The storage device 1430 stores a program1412 and/or a threat detection model 1414 for controlling the processor1410. The processor 1410 performs instructions of the programs 1412,1414, and thereby operates in accordance with any of the embodimentsdescribed herein. For example, the processor 1410 may receive a seriesof monitoring node values (representing normal and/or threatenedoperation of the industrial asset control system) and generate a set ofnormal feature vectors. The processor 1410 may then automaticallydetermine a plurality of potential cluster-based decision boundaries fora threat detection model.

The programs 1412, 1414 may be stored in a compressed, uncompiled and/orencrypted format. The programs 1412, 1414 may furthermore include otherprogram elements, such as an operating system, clipboard application, adatabase management system, and/or device drivers used by the processor1410 to interface with peripheral devices.

As used herein, information may be “received” by or “transmitted” to,for example: (i) the industrial asset control system protection platform1400 from another device; or (ii) a software application or modulewithin the industrial asset control system protection platform 1400 fromanother software application, module, or any other source.

In some embodiments (such as the one shown in FIG. 14), the storagedevice 1430 further stores a local database 1500, global database 1600,and a monitoring node database 1700. Example of databases that may beused in connection with the industrial asset control system protectionplatform 1400 will now be described in detail with respect to FIGS. 15through 17. Note that the databases described herein are only examples,and additional and/or different information may be stored therein.Moreover, various databases might be split or combined in accordancewith any of the embodiments described herein.

Referring to FIG. 15, a table is shown that represents the localdatabase 1500 that may be stored at the industrial asset control systemprotection platform 1400 according to some embodiments. The table mayinclude, for example, entries associated with local features andboundaries of an industrial asset control system. The table may alsodefine fields 1502, 1504, 1506, 1508, 1510 for each of the entries. Thefields 1502, 1504, 1506, 1508, 1510 may, according to some embodiments,specify: an industrial asset identifier 1502, local data 1504, a clusteridentifier 1506, a centroid 1508, and local features and boundaries1510. The local database 1500 may be created and updated, for example,off line (non-real time) when a new physical system is monitored ormodeled.

The industrial asset identifier 1502 may be, for example, a uniquealphanumeric code identifying an industrial asset to be monitored (e.g.,a jet turbine system, manufacturing plant, wind farm, etc.). The localdata 1504 might represent, for example, historical data, high fidelitymodel data, etc. The cluster identifier 1506 and centroid 1508 might,for example, associated a set of feature data with a particular“cluster” located around the centroid 1508 (e.g., a location in twodimensional space, three dimensional space, etc.). The local featuresand boundaries 1510 might represent an appropriate boundary for thecluster (separating normal operation from threatened operation).

Referring to FIG. 16, a table is shown that represents the globaldatabase 1600 that may be stored at the industrial asset control systemprotection platform 1400 according to some embodiments. The table mayinclude, for example, entries associated with global features andboundaries of an industrial asset control system. The table may alsodefine fields 1602, 1604, 1606, 1608 for each of the entries. The fields1602, 1604, 1606, 1608 may, according to some embodiments, specify: anindustrial asset identifier 1602, a global cluster identifier 1604, acentroid 1606, and global features and boundaries 1608. The globaldatabase 1600 may be created and updated, for example, off line(non-real time) when a new physical system is monitored or modeled.

The industrial asset identifier 1602 may be, for example, a uniquealphanumeric code identifying an industrial asset to be monitored andmay be based on, or associated with, the industrial asset identifier1502 in the local database 1500. The global cluster identifier 1604 andcentroid 1606 might, for example, associated a set of global featuredata with a particular “cluster” located around the centroid 1606 (e.g.,a location in two dimensional space, three dimensional space, etc.). Theglobal features and boundaries 1068 might represent an appropriateboundary for the cluster (separating normal operation from threatenedoperation).

Referring to FIG. 17, a table is shown that represents the monitoringnode database 1700 that may be stored at the industrial asset controlsystem protection platform 1100 according to some embodiments. The tablemay include, for example, entries identifying monitoring nodesassociated with a physical system. The table may also define fields1702, 1704, 1706, 1708, 1710, 1712 for each of the entries. The fields1702, 1704, 1706, 1708, 1710, 1712 may, according to some embodiments,specify: a monitoring node identifier 1702, monitoring node values 1704,features 1706, feature vectors 1708, a closest cluster identifier 1710,and a result 1712. The monitoring node database 1700 may be created andupdated, for example, when a new physical system is monitored ormodeled, threat nodes report values, operating conditions change, etc.

The monitoring node identifier 1702 may be, for example, a uniquealphanumeric code identifying a threat node in an industrial assetcontrol system that detects the series of monitoring node values 1704over time (e.g., in batches of 30 to 50 seconds of data). The monitoringnode values 1704 may be used to create the features 1706 and featurevectors 1708 (e.g., in accordance with any of the embodiments describedherein). The closest cluster identifier 1710 might indicate the nearestcluster and might be based on or associated with the cluster identifier1506 in the local database 1500 and/or the global cluster identifier1604 in the global database 1600. The closest cluster identifier 1710may be used, for example, to select an appropriate decision boundary togenerate the result 1712 (e.g., an “attack” or a “normal” indication).

Thus, embodiments may provide an industrial asset with cyber-attackprotection that is able to handle non-linearity and/or data skewing.Moreover, embodiments may provide more accurate sensor/actuator/controlnode attack processing with proper decision boundaries applicable to thedata at each instant. Further, embodiments may allow for the training ofattack detection systems using “normal” only historical data. Passivedetection of indications of multi-class abnormal operations may beimplemented using real-time signals from monitoring nodes. Stillfurther, the detection framework may allow for the development of toolsthat facilitate proliferation of the invention to various systems (i.e.,gas turbines, steam turbines, wind turbines, aviation engines,locomotive engines, power grid, etc.) in multiple geolocations.According to some embodiments, distributed detection systems enabled bythis technology (across multiple types of equipment and systems) willallow for the collection of coordinated data to help detect multi-prongattacks. Note that the feature-based approaches described herein mayallow for extended feature vectors and/or incorporate new features intoexisting vectors as new learnings and alternate sources of data becomeavailable. As a result, embodiments may detect a relatively wide rangeof cyber-threats (e.g., stealth, replay, covert, injection attacks,etc.) as the systems learn more about their characteristics. Embodimentsmay also reduce false positive rates as systems incorporate useful keynew features and remove ones that are redundant or less important. Notethat the detection systems described herein may provide early warning toindustrial asset control system operators so that an attack may bethwarted (or the effects of the attack may be blunted), reducing damageto equipment.

The following illustrates various additional embodiments of theinvention. These do not constitute a definition of all possibleembodiments, and those skilled in the art will understand that thepresent invention is applicable to many other embodiments. Further,although the following embodiments are briefly described for clarity,those skilled in the art will understand how to make any changes, ifnecessary, to the above-described apparatus and methods to accommodatethese and other embodiments and applications.

Note that appropriate clusters may be identified and/or selected by asystem and/or be based on user input. For example, FIG. 18 illustratesan interactive Graphical User Interface (“GUI”) display 1800 that mightdisplay monitoring node information (e.g., including a current featurevector 1810 and decision boundaries selected based on clustering) alongwith a user notification area 1820 that may be used provide informationto an operator, administrator, etc.

Although specific hardware and data configurations have been describedherein, note that any number of other configurations may be provided inaccordance with embodiments of the present invention (e.g., some of theinformation associated with the databases described herein may becombined or stored in external systems). For example, although someembodiments are focused on gas turbine generators, any of theembodiments described herein could be applied to other types of assets,such as dams, the power grid, military devices, etc.

According to some embodiments, information about attack statuses may beinterwoven between different industrial asset plants. For example, onepower plant might be aware of the status of other nodes (in other powerplants) and such an approach might further help thwart coordinatedcyber-threats. In addition to automatic threat detection, someembodiments described herein might provide systems with an additionalcyber layer of defense and be deployable without custom programming(e.g., when using operating data). Some embodiments may be sold with alicense key and could be incorporated as monitoring service. Forexample, boundaries might be periodically updated when equipment at anindustrial asset plant is upgraded.

The present invention has been described in terms of several embodimentssolely for the purpose of illustration. Persons skilled in the art willrecognize from this description that the invention is not limited to theembodiments described, but may be practiced with modifications andalterations limited only by the spirit and scope of the appended claims.

1. A system to protect an industrial asset control system, comprising: aspace data source storing, for each of a plurality of monitoring nodes,a series of monitoring node values over time that represent at least oneof: (i) a normal operation of the industrial asset control system, and(ii) a threatened operation of the industrial asset control system; anda threat detection model creation computer, coupled to the space datasource, to: (i) receive the series of monitoring node values andgenerate a set of feature vectors, and (ii) determine, automatically bythe threat detection model creation computer, a plurality ofcluster-based decision boundaries for a threat detection model.
 2. Thesystem of claim 1, wherein said automatic determination comprises:identifying a first cluster in the set of feature vectors, identifying asecond cluster in the set of feature vectors, automatically calculatinga first potential cluster-based decision boundary for the threatdetection model based on the first cluster in the set of featurevectors, and automatically calculating a second potential cluster-baseddecision boundary for the threat detection model based on the secondcluster in the set of feature vectors.
 3. The system of claim 1, whereinthe series of monitoring node values over time represent only the normaloperation of the industrial asset control system, and said determinationof the plurality of potential cluster-based decision boundaries isassociated with a one-class, semi-supervised learning process.
 4. Thesystem of claim 1, wherein the series of monitoring node values overtime represent only the threatened operation of the industrial assetcontrol system, and said determination of the plurality of potentialcluster-based decision boundaries is associated with a one-class,semi-supervised learning process.
 5. The system of claim 1, wherein theseries of monitoring node values over time represent both the normal andthe threatened operation of the industrial asset control system, andsaid determination of the plurality of potential cluster-based decisionboundaries is associated with a two-class, supervised learning process.6. The system of claim 1, wherein the threat detection model creationcomputer is further to compute and store a centroid location inassociation with each cluster.
 7. The system of claim 1, wherein aplurality of potential cluster-based decision boundaries are associatedwith a first cluster in a set of feature vectors.
 8. The system of claim1, wherein identification of the clusters is associated with a K-meansprocess.
 9. The system of claim 1, wherein a number of clusters isobtained based on achievable performance as determined by ReceiverOperating Characteristic (“ROC”) statistics.
 10. The system of claim 1,wherein at least one of the series of monitoring node values isassociated with a high fidelity equipment model.
 11. The system of claim1, wherein at least one of said identification and automaticdetermination are performed based at least in part on an online updatereceived from a remote industrial asset control system informationsource.
 12. The system of claim 1, further comprising: a plurality ofreal-time monitoring node signal inputs to receive streams of monitoringnode signal values over time that represent a current operation of theindustrial asset control system; and a threat detection computerplatform, coupled to the plurality of real-time monitoring node signalinputs and the threat detection model creation computer, to: (i) receivethe streams of monitoring node signal values, (ii) for each stream ofmonitoring node signal values, generate a current monitoring nodefeature vector, (iii) select an appropriate cluster-based decisionboundary based on distances between a feature vector and clustercentroids, (iv) compare the feature vector to the appropriatecluster-based decision boundary separating a normal state from anabnormal state for that monitoring node in association with a cluster,(v) compare the generated current monitoring node feature vectors withthe selected appropriate cluster-based decision boundary, and (vi)automatically transmit a threat alert signal based on results of saidcomparisons.
 13. The system of claim 12, wherein the threat alert signaltransmission is performed using at least one of: a cloud-based system,an edge-based system, a wireless system, a wired system, a securednetwork, and a communication system.
 14. The system of claim 13, whereinthe threat is associated with at least one of: an actuator attack, acontroller attack, a monitoring node attack, a plant state attack,spoofing, financial damage, unit availability, a unit trip, a loss ofunit life, and asset damage requiring at least one new part.
 15. Acomputerized method to protect an industrial asset control system,comprising: receiving, at a threat detection model creation computerfrom a space data source for each of a plurality of monitoring nodes, aseries of monitoring node values over time that represent at least oneof: (i) a normal operation of the industrial asset control system, and(ii) a threatened operation of the industrial asset control system;generating a set of feature vectors based on the received monitoringnode values; and automatically determining, by the threat detectionmodel creation computer using a series of feature vectors, a pluralityof potential cluster-based decision boundaries for a threat detectionmodel.
 16. The method of claim 15, wherein the series of monitoring nodevalues over time represent only the normal operation of the industrialasset control system, and said determination of the plurality ofpotential cluster-based decision boundaries is associated with aone-class, semi-supervised learning process.
 17. The method of claim 15,wherein the series of monitoring node values over time represent onlythe threatened operation of the industrial asset control system, andsaid determination of the plurality of potential cluster-based decisionboundaries is associated with a one-class, semi-supervised learningprocess.
 18. The method of claim 15, wherein the series of monitoringnode values over time represent both the normal and the threatenedoperation of the industrial asset control system, and said determinationof the plurality of potential cluster-based decision boundaries isassociated with a two-class, supervised learning process.
 19. The methodof claim 15, wherein the threat detection model creation computer isfurther to compute and store a centroid location in association witheach of a plurality of clusters.
 20. The method of claim 15, furthercomprising: receiving, by a threat detection computer platform, streamsof monitoring node signal values over time that represent a currentoperation of the industrial asset control system; for each stream ofmonitoring node signal values, generating, by the threat detectioncomputer platform, a current monitoring node feature vector; selecting,by the threat detection computer platform, an appropriate cluster-baseddecision boundary based on distances between a feature vector andcluster centroids, the appropriate cluster-based decision boundaryseparating a normal state from an abnormal state for that monitoringnode in association with a cluster; comparing, by the threat detectioncomputer platform, the generated current monitoring node feature vectorswith the selected appropriate cluster-based decision boundary; andautomatically transmitting a threat alert signal based on results ofsaid comparisons.
 21. A non-transient, computer-readable medium storinginstructions to be executed by a processor to perform a method ofprotecting an industrial asset control system, the method comprising:receiving, from a space data source for each of a plurality ofmonitoring nodes, a series of monitoring node values over time thatrepresent at least one of: (i) a normal operation of the industrialasset control system, and (ii) a threatened operation of the industrialasset control system; and automatically determining a plurality ofpotential cluster-based decision boundaries for a threat detectionmodel.
 22. The medium of claim 21, wherein execution of the instructionsfurther results in: receiving streams of monitoring node signal valuesover time that represent a current operation of the industrial assetcontrol system; for each stream of monitoring node signal values,generating a current monitoring node feature vector; selecting anappropriate cluster-based decision boundary based on distances between afeature vector and cluster centroids, the appropriate cluster-baseddecision boundary separating a normal state from an abnormal state forthat monitoring node in association with a cluster; comparing thegenerated current monitoring node feature vectors with the selectedappropriate cluster-based decision boundary; and automaticallytransmitting a threat alert signal based on results of said comparisons.